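@echo off

rem Copyright Lorenzo Cantoni, MIT License

REM Keep every variable set below local to this script's cmd instance so
REM nothing leaks into the operator's shell if the script is run from an
REM existing console.
setlocal

REM ############ USB Drive and directory paths must be set prior to running the script ############
REM All values use the set "name=value" form so a stray trailing space on a
REM line cannot silently become part of a path.
REM The tool binaries are executed from the USB drive; only a vetted copy of
REM SysinternalsSuite should live there, since whatever is in toolkitpath runs
REM with the operator's (administrator) rights.
set "usbmemdrive=E:"
REM Collected artefacts go back to the USB drive, keeping collection output off
REM the examined host.
set "outdir=%usbmemdrive%\output"
set "toolkitpath=%usbmemdrive%\SysinternalsSuite"
set "systoolspath=%WINDIR%\system32"


REM ############ Executables can be optionally renamed ############
REM Third-party (Sysinternals) tool names, resolved under toolkitpath.
set "AUTORUNSC=autorunsc"
set "PSLIST=pslist"
set "LISTDLLS=listdlls"
set "COREINFO=coreinfo"
set "HANDLE=handle"
set "LOGONSESSIONS=logonsessions"
set "PSFILE=psfile"
set "PSINFO=psinfo"
set "PSLOGGEDON=psloggedon"
set "PSLOGLIST=psloglist"
set "PSSERVICE=psservice"
set "TCPVCON=tcpvcon"

REM Windows-native tool names, resolved under systoolspath (wmic additionally
REM under its wbem subdirectory, see INSTALLEDUPDATESFUNC).
set "WHOAMI=whoami"
set "SYSTEMINFO=systeminfo"
set "NET=net"
set "NBTSTAT=nbtstat"
set "DRIVERQUERY=driverquery"
set "ARP=arp"
set "IPCONFIG=ipconfig"
set "ROUTE=route"
set "WMIC=wmic"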


REM ############ main ############

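REM Show the operator the configured paths and require an explicit "y" before
REM anything is executed or written.
echo Usb drive Letter from which this script will run is %usbmemdrive%
echo Directory from which third party tools are installed is: %toolkitpath%
echo Directory from which system commands tools are installed is: %systoolspath%
echo Output directory is: %outdir%
echo Please, ensure to run the command prompt as an administrator
echo Are these settings correct? Do you wish to continue? (y/n)
REM set /p leaves the variable untouched when the operator just presses Enter,
REM so clear any inherited value first; otherwise a stale "y" in the
REM environment would be taken as consent.
set "continue="
set /p continue=
REM Quoted comparison: an empty answer would otherwise turn the IF into a
REM syntax error. /I accepts "Y" as well as "y".
IF /I NOT "%continue%"=="y" GOTO EXITFUNC

cd /D "%usbmemdrive%" || GOTO EXITFUNC
REM Redirection does not create missing directories, so every collector below
REM would fail with "The system cannot find the path specified" without this.
IF NOT EXIST "%outdir%" mkdir "%outdir%"

REM Each subroutine must end with goto :eof, otherwise cmd falls through into
REM the next label after the call returns.
REM NOTE(review): by order of volatility, the timestamp and the network /
REM process collectors are the ones most worth running first; the order below
REM is kept as the author wrote it.
call:AUTORUNSVERBOSEFUNC
call:AUTORUNSSHORTFUNC
call:LISTPROCESSESFUNC
call:LISTDLLSFUNC
call:CPUINFOFUNC
call:HANDLEFUNC
call:LOGONSESSIONSFUNC
call:REMOTEFILEFUNC
call:PSINFOFUNC
call:PSLOGGEDONFUNC
call:LASTLOGSFUNC
call:PSSERVICEFUNC
call:TCPVCONFUNC

call:WHOAMIFUNC
call:SYSINFOFUNC
call:SHARESFUNC
call:USERSFUNC
call:NETBIOSFUNC
call:DRIVERSFUNC
call:ARPFUNC
call:DNSCACHEFUNC
call:ROUTINGFUNC
call:INSTALLEDUPDATESFUNC
call:DATEANDTIMEFUNC

REM goto rather than call: EXITFUNC ends the cmd process and never returns.
GOTO EXITFUNC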

REM ############ functions for third party tools ############

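:AUTORUNSVERBOSEFUNC
REM Autostart entries, all locations, CSV output. /accepteula suppresses the
REM interactive licence prompt that would otherwise block an unattended run.
echo Getting stuff which runs automatically (Autoruns - Sysinternals)
"%toolkitpath%\%AUTORUNSC%" /accepteula -a -c * > "%outdir%\autorunsverbose.csv"
REM Return to the caller; without this cmd would run straight into the next label.
goto :eof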

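:AUTORUNSSHORTFUNC
REM Reduced autostart listing (-m, -v) in CSV; paths are quoted so a drive or
REM directory containing spaces still works.
echo Getting unsigned stuff with runs automatically (Autoruns - Sysinternals) 
"%toolkitpath%\%AUTORUNSC%" /accepteula -a -c -m -v * > "%outdir%\autorunsshort.csv"
REM Return to the caller instead of falling through to the next label.
goto :eof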

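:LISTPROCESSESFUNC
REM Process listing (-t: tree form) to pslist.log.
echo List processes (PsList - Sysinternals)
"%toolkitpath%\%PSLIST%" /accepteula -t > "%outdir%\pslist.log"
REM Return to the caller instead of falling through to the next label.
goto :eof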

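:LISTDLLSFUNC
REM Loaded DLLs per process (-v) to listdlls.log.
echo Getting loaded dlls (ListDlls - Sysinternals)
"%toolkitpath%\%LISTDLLS%" /accepteula -v > "%outdir%\listdlls.log"
REM Return to the caller instead of falling through to the next label.
goto :eof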

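:CPUINFOFUNC
REM Default and verbose (-v) CoreInfo output, appended into one log.
echo Getting CPU information (CoreInfo - Sysinternals)
"%toolkitpath%\%COREINFO%" /accepteula > "%outdir%\coreinfo.log"
"%toolkitpath%\%COREINFO%" /accepteula -v >> "%outdir%\coreinfo.log"
REM Return to the caller instead of falling through to the next label.
goto :eof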

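:HANDLEFUNC
REM Open handles for every process (-a) to handles.log.
echo Getting open handles for each process (Handle - Sysinternals)
"%toolkitpath%\%HANDLE%" /accepteula -a > "%outdir%\handles.log"
REM Return to the caller instead of falling through to the next label.
goto :eof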

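:LOGONSESSIONSFUNC
REM Logon sessions, with -p as the author configured it, to logonsessions.log.
echo Getting logged on sessions (LogonSessions - Sysinternals)
"%toolkitpath%\%LOGONSESSIONS%" /accepteula -p > "%outdir%\logonsessions.log"
REM Return to the caller instead of falling through to the next label.
goto :eof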

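:REMOTEFILEFUNC
REM Files opened remotely on this host, to psfile.log.
echo Getting information about file opened over the network (PsFile - Sysinternals)
"%toolkitpath%\%PSFILE%" /accepteula > "%outdir%\psfile.log"
REM Return to the caller instead of falling through to the next label.
goto :eof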

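:PSINFOFUNC
REM System summary with the -h -s -d sections the author selected, to psinfo.log.
echo Getting information about os, installed software, and drives (PsInfo - Sysinternals)
"%toolkitpath%\%PSINFO%" /accepteula -h -s -d > "%outdir%\psinfo.log"
REM Return to the caller instead of falling through to the next label.
goto :eof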

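:PSLOGGEDONFUNC
REM Currently logged-on users to psloggedon.log.
echo Getting logged on users (PsLoggedON - Sysinternals)
"%toolkitpath%\%PSLOGGEDON%" /accepteula > "%outdir%\psloggedon.log"
REM Return to the caller instead of falling through to the next label.
goto :eof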

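:LASTLOGSFUNC
REM Label renamed to match the caller (call:LASTLOGSFUNC); the original
REM :LASTLOGFUNC was never reached and the three event logs were not collected.
REM One file per event log: system, security, application.
echo Getting last log entries for system, security and application (PsLoglist - Sysinternals)
"%toolkitpath%\%PSLOGLIST%" /accepteula -s system > "%outdir%\psloglist.system.log"
"%toolkitpath%\%PSLOGLIST%" /accepteula -s security > "%outdir%\psloglist.security.log"
"%toolkitpath%\%PSLOGLIST%" /accepteula -s application > "%outdir%\psloglist.application.log"
REM Return to the caller instead of falling through to the next label.
goto :eof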

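:PSSERVICEFUNC
REM Service status, configuration and security descriptors, one file each.
echo Getting information about services (status, configuration, permissions) (PsService - Sysinternals)
"%toolkitpath%\%PSSERVICE%" /accepteula query > "%outdir%\psservice.status.log"
"%toolkitpath%\%PSSERVICE%" /accepteula config > "%outdir%\psservice.configuration.log"
"%toolkitpath%\%PSSERVICE%" /accepteula security > "%outdir%\psservice.permissions.log"
REM Return to the caller instead of falling through to the next label.
goto :eof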

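:TCPVCONFUNC
REM Network endpoints in CSV (-c), all (-a); the second run adds -n so the
REM numeric snapshot is captured even if name resolution stalls or alters timing.
echo Getting information about network connections (TcpvCon - Sysinternals). Dns resolutions may require some time
"%toolkitpath%\%TCPVCON%" /accepteula -c -a > "%outdir%\tcpvcon.withdns.csv"
"%toolkitpath%\%TCPVCON%" /accepteula -c -a -n > "%outdir%\tcpvcon.withoutdns.csv"
REM Return to the caller instead of falling through to the next label.
goto :eof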



REM ############ functions for system tools ############

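:WHOAMIFUNC
REM Label renamed to match the caller (call:WHOAMIFUNC); the original :WHOAMI
REM label did not match and this collector was never run.
REM Records which account the collection ran under, to whoami.log.
echo Getting the current user (whoami - Windows Native)
"%systoolspath%\%WHOAMI%" > "%outdir%\whoami.log"
REM Return to the caller instead of falling through to the next label.
goto :eof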

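:SYSINFOFUNC
REM systeminfo output to systeminfo.log.
echo Getting information about OS, hotfixes, boot time, hardware, timezone (systeminfo - windows native)
"%systoolspath%\%SYSTEMINFO%" > "%outdir%\systeminfo.log"
REM Return to the caller instead of falling through to the next label.
goto :eof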

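:SHARESFUNC
REM "net share" then "net file", appended into the same log.
echo Getting information about shares (net share and net file - windows native)
"%systoolspath%\%NET%" share > "%outdir%\netshares.log"
"%systoolspath%\%NET%" file >> "%outdir%\netshares.log"
REM Return to the caller instead of falling through to the next label.
goto :eof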

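:USERSFUNC
REM Local accounts followed by the local Administrators membership, one log.
echo Getting list of users and members of the local Administrators group (net user and net localgroup - windows native)
"%systoolspath%\%NET%" users > "%outdir%\netusersandgroups.log"
"%systoolspath%\%NET%" localgroup Administrators >> "%outdir%\netusersandgroups.log"
REM Return to the caller instead of falling through to the next label.
goto :eof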

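:NETBIOSFUNC
REM NetBIOS sessions (-s) and name cache (-c) into one log. The second command
REM must append: the original used ">" twice, so the sessions output was
REM overwritten and only the cache survived.
echo Getting information about NetBIOS sessions and cache (nbtstat -s, nbtstat -c  - windows native)
"%systoolspath%\%NBTSTAT%" -s > "%outdir%\nbtstat.log"
"%systoolspath%\%NBTSTAT%" -c >> "%outdir%\nbtstat.log"
REM Return to the caller instead of falling through to the next label.
goto :eof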

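:DRIVERSFUNC
REM Verbose driver list in CSV to driverquery.csv.
echo Getting information about available drivers (driverinfo - windows native)
"%systoolspath%\%DRIVERQUERY%" /v /FO CSV > "%outdir%\driverquery.csv"
REM Return to the caller instead of falling through to the next label.
goto :eof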

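:ARPFUNC
REM ARP cache to arpcache.log.
echo Getting arp cache (arp -a - Windows native)
"%systoolspath%\%ARP%" -a > "%outdir%\arpcache.log"
REM Return to the caller instead of falling through to the next label.
goto :eof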

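:DNSCACHEFUNC
REM Resolver cache contents to ipconfigdnscache.log.
echo Getting dnscache information (ipconfig /displaydns - windows native)
"%systoolspath%\%IPCONFIG%" /displaydns > "%outdir%\ipconfigdnscache.log"
REM Return to the caller instead of falling through to the next label.
goto :eof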

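:ROUTINGFUNC
REM Routing table to route.log.
echo Getting routing table
"%systoolspath%\%ROUTE%" print > "%outdir%\route.log"
REM Return to the caller instead of falling through to the next label.
goto :eof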

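:INSTALLEDUPDATESFUNC
REM Installed hotfixes in CSV. wmic lives under system32\wbem, not system32
REM itself, hence the extra path component.
echo Getting installed OS patches (wmic qfe list biref - Windows native)
"%systoolspath%\wbem\%WMIC%" qfe list brief /format:csv > "%outdir%\patches.csv"
REM Return to the caller instead of falling through to the next label.
goto :eof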

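:DATEANDTIMEFUNC
REM Local date and time of the collection, from the cmd %date% / %time%
REM variables, to datetime.log.
echo Getting current date and time. Information about timezone are provided by "systeminfo" tool
echo %date% > "%outdir%\datetime.log"
echo %time% >> "%outdir%\datetime.log"
REM Return to the caller instead of falling through to the next label.
goto :eof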

:EXITFUNC
REM Final stop: waits for a key press, then "exit" (not "exit /b") ends the
REM whole cmd process, so this label never returns to a caller.
echo Will now exit, press any key to continue
pause
exit
